
How to create SSL socket connection with a custom trusted key store


Question:

I dynamically add a trusted certificate to Tomcat's trustedKeyStore. How can I make them effective without restarting Tomcat? Basically, I want to force the JVM to re-read the list of trusted keys.

Answer:

You need to create your own custom SSLSocketFactory, which uses a customized SSLContext. In the example below I create a custom SSLContext in which I specify both the key store and the trusted key store.
If you only need the custom trust manager, replace
context.init(kms, tms, null);
with
context.init(null, tms, null);

import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStoreClient {

  String TRUSTED_KEYSTORE = "/etc/ssl/trusted_keys.keystore";
  String trustStorePassword = "secret";

  // The store is read from disk on every call, so certificates added after
  // startup are picked up by the next factory built from it.
  protected KeyManager[] getKeyManagers() throws IOException, GeneralSecurityException {
      String alg = KeyManagerFactory.getDefaultAlgorithm();
      KeyManagerFactory kmFact = KeyManagerFactory.getInstance(alg);

      KeyStore ks = KeyStore.getInstance("jks");
      try (FileInputStream fis = new FileInputStream(TRUSTED_KEYSTORE)) {
          ks.load(fis, trustStorePassword.toCharArray());
      }
      kmFact.init(ks, trustStorePassword.toCharArray());
      return kmFact.getKeyManagers();
  }

  protected TrustManager[] getTrustManagers() throws IOException, GeneralSecurityException {
      String alg = TrustManagerFactory.getDefaultAlgorithm();
      TrustManagerFactory tmFact = TrustManagerFactory.getInstance(alg);

      KeyStore ks = KeyStore.getInstance("jks");
      try (FileInputStream fis = new FileInputStream(TRUSTED_KEYSTORE)) {
          ks.load(fis, trustStorePassword.toCharArray());
      }
      tmFact.init(ks);
      return tmFact.getTrustManagers();
  }

  protected SSLSocketFactory getSSLSocketFactory() throws IOException, GeneralSecurityException {
      TrustManager[] tms = getTrustManagers();
      KeyManager[] kms = getKeyManagers();

      SSLContext context = SSLContext.getInstance("TLS");   // "SSL" is the legacy alias of "TLS"
      context.init(kms, tms, null);
      return context.getSocketFactory();
  }

  //
  // main code
  //
  public static void main(String[] args) throws IOException, GeneralSecurityException {
      String IP_Address = args[0];   // host to connect to, taken from the command line
      SSLSocketFactory socketFactory = new CustomTrustStoreClient().getSSLSocketFactory();
      SSLSocket clientSocket = (SSLSocket) socketFactory.createSocket(IP_Address, 443);
      clientSocket.startHandshake();   // server chain is verified against the trust store here
      clientSocket.close();
  }
}

Comments:

2015-02-01, 00:45:27
anonymous from Germany  
Articles like this make life so much simpler.
